Any ad tech vendor clinging to the notion that legitimate interest alone will render them compliant for the General Data Protection Regulation may need to think of a plan B — and fast.

Less than four months remain until GDPR enforcement, yet confusion remains about compliance and how the regulation will be enforced, at least in some quarters.

It appears that location-based ad tech vendors are among those in the worst pickle, with many claiming loudly that their businesses comply with the GDPR under its “legitimate interest” clause, according to sources. In doing so, they hope to skirt some of the more arduous hurdles around obtaining consumer consent for data use. While some businesses will be able to claim a legitimate interest in using people’s data without having to seek explicit permission, no ad tech vendor that relies on bid-stream data to create segments and audiences can use the legitimate-interest loophole.

But that is indeed what many are doing, according to sources. The lack of detail on how the GDPR will be enforced has lulled some into a false sense of security, which could backfire on them later.

“If a [location] ad tech vendor tells you they can use legitimate interest and they can’t explain why, they’re morons and don’t understand at all what GDPR means,” said one ad tech executive, who spoke on condition of anonymity. Most location vendors that rely on bid-stream data are claiming legitimate interest, with nearly none of them having grounds for doing so, the executive added.

Some agency groups have sent out RFPs for location data, and responses from location vendors have not impressed them regarding plans for making their businesses compliant with the law, according to sources. “They’re [agencies] getting high-level claims of legitimate interest but no real meat on the bones,” said the same executive. “It will likely result in agencies culling [location] vendors.”

Some third-party vendors have appeased agencies, saying they are reducing their dependence on bid-stream data. Regardless, agencies aren’t satisfied. “The feedback you get with [independent] tech providers is way too high-level,” said a senior media agency executive, who preferred to stay anonymous. “They say they’re 100 percent compliant or that they have these ‘high-level’ principles, but they don’t really answer my questions around what levers they have in place to act on the right to be forgotten, for example, or to send me all the ways they process data.”

If the vendors are important partners to this agency group, then they’ll undergo data protection impact assessments to assess whether they’re compliant, according to the same agency executive. “If they’re not important partners, we will drop them.”

To some extent, it’s understandable that some vendors are latching on to legitimate interest as a get-out-of-jail-free card: Details on how the GDPR will be enforced remain broad, leaving companies searching for loopholes. “Companies risk being wiped out partially, if not entirely, and many are fighting tooth and nail, climbing mirrors to avoid the collapse of their commercial relationships, buying time and getting some oxygen while waiting to see what will happen,” said a media executive, who spoke on condition of anonymity.

But the core rules seemingly ignored by vendors assuming they are safe under legitimate interest are clear: A business must balance its interests against an individual’s when determining if it has a legitimate interest in using the individual’s data. Data processing must be necessary, and if other methods of achieving the same result are feasible, then legitimate interest won’t apply.

“Legitimate interest can’t protect people,” said Amir Malik, digital marketing lead at Accenture. “The permission procedure is to remove all ambiguity, and legitimate interest is rigidly defined, so can’t be used as a hack. Consent is ultimately required.”

In short, attempting to hide behind legitimate interest won’t work in the long run. Instead, vendors should be proactive in finding ways to use the GDPR as an opportunity to clean up their processes. “Rather than try to slip through the net of GDPR, the ad tech sector should rather reinvent itself, focusing its energy in developing new solutions that fulfill the need for more genuine, earned and not forced engagement with audiences, serving publishers’ and advertisers’ legitimate interest and not their own,” said Alessandro De Zanche, independent consultant and former News UK executive.